As a user, I want the ability to add entries which have TOTP keys such as GitHub / Amazon (2FA/MFA)

Oh no! I’m in the same boat, after a simple trial I was going to recommend passbolt to my startup instead of 1password or Bitwarden… but I arrived at this page after looking for a way to enable something I thought was a given in any password manager :sob: so this is not implemented in your PRO version either? I understand you are OpenSource and stretched thin but please, this is a complete deal breaker to any company, several security policies in my company and others will not let you have access to accounts if you haven’t set up MFA!! I really wonder what happened in the last couple of years with your prioritization, but saving secrets without MFA is A HUGE SECURITY RISK, so this should have been implemented ages ago IMHO. Like some people here before mentioned, please please set the string generator without the fancy QR screen scraping code as first step, but deliver that ASAP if you can please!

@mninoruiz You might be combining two issues. Passbolt has always been MFA because it uses a key, and a passphrase. It has also added an additional feature of MFA which acts as a third factor, but aids organizations using their own MFA on passbolt.

It seems you are saying secrets are saved without MFA access to them, but that’s not the case. No one is saying to do this or being made to do this.

Secrets have had encrypted descriptions which can handle QR strings, and this thread is about adding a feature for TOTP handling, instead of it being accomplished through another app. The access of focus is access to non-passbolt apps which have MFA.

The feature is one of convenience. In some cases, maybe yours, it’s a reason to not use passbolt yet. But that’s not the same as suggesting passbolt decisions have resulted in a “HUGE SECURITY RISK”. Maybe clarify what you mean?

1 Like

Oh apologies @garrett I didn’t make myself clear… I wasn’t implying that Passbolt is not safe, on the contrary, this concept of passphrase and security letters that you have, I’ve not seen it before and it is awesome!
Also, yes, as stated at the beginning of this thread, this is the functionality of being able to use Passbolt as MFA all in one place, not about Passbolt not having MFA… What I meant to say is that, since MFA is mandatory for most places, not providing that feature IN THE SAME Secret entry (as your competition has done for a long time) results in an incomplete Password Manager solution, not at the same level as 1Password or Bitwarden. That is different from not having MFA to access your product! But your product is about secret management, and nowadays that MUST include MFA for it to be complete, otherwise you wouldn’t have to complete the functionality with another device/tool.
Among other reasons, not having MFA results in:

  • Not being able to share secrets where MFA is mandatory (so I can’t use it in a team for places where license restrictions make it impossible to give a user to everybody, so we have to share)
  • The other side of the coin, when you want all the company e.g. sales / advertising to use MFA, passbolt does not encourage enabling MFA in the first place, since the double friction of using another device like your phone makes it hard, especially when you have hundreds of sites, try scrolling that on a Phone in Authy or GAuth, impossible! I use those precisely for very sensitive MFA like the password manager itself

I guess you consider that as an extra, a matter of convenience, but for me and most people, for a secret management solution, it is incomplete and I find it strange you didn’t prioritise it before… but by all means I understand it’s open source, I’m very impressed with your product and fingers crossed it will come soon!

2 Likes

@mninoruiz I very much appreciate the clarifications.

I want to share some things from my point of view - but it’s not a response to what you were saying. Just some things that are related that I would like to mention.

When I first started using passbolt, I was implementing it at a counseling center where office staff shared passwords on a spreadsheet. All passwords were the same so I’m not sure why they bothered noting them. When I looked at all the password manager options at the time, I needed something with no subscription costs because the counseling center was financially strained. Passbolt met the minimum requirements for my need, because I need real security. I knew it could only get better. It was super bare bones.

All of the features that people today want backported to the CE didn’t even exist then in the Pro edition! I was never on the app development team but did help with updating web documentation at one point, specifically the API documentation. So, I’ve worked with the people at passbolt.

When I was new to passbolt I misunderstood that open source equated to community-built. I thought, look how active the forum is! That should bode well for quick improvements. But actually, it pulled from development in some ways. So I started making contributions by helping other users. There are many community contributions - and not just fixes but also like this thread itself with the questions and the challenges and pressure. It’s important to know that the organization of passbolt is a growing startup that in my view is less like a break-things-and-move-fast game and more like NASA.

“The probe must travel for decades to the outer edge of the solar system and be able to send back data years after no one has been able to fix anything.” Maybe it’s not that extreme, but you get the point. No one gets impressed by how it took five years to build a probe. They get impressed by how far out it was able to go.

It is hard to put into words the level of concern and review that goes into passbolt with regard to security. They care. The team will seem slow. At the same time they aren’t on the front page for security issues. Their work is their signature.

Consider the following:

  • they develop across numerous operating systems
  • those who develop also will provide support and not just to those on Pro - they help in the community too, with “stupid stuff” like installation issues. They actually care about the people using the product.
  • when they add a feature they get it reviewed for security
  • a couple of years ago there was a major overhaul of the app that took resources away from progress but provided something better to build on going forward
  • there wasn’t even a mobile app but now we have one

I’ve started businesses and get it: if they break their budget and run out of runway we are left with a cool app that has a lot of backlog requests. They have accomplished some major things in the last two years that weren’t features but actually app capabilities. But they’ve also added a ton of features! I mean, we didn’t even use to have a way to change our passphrase.

I volunteer to help in the forum because I still believe it’s worth it. Trust me, I develop outside of passbolt and have my own views on how I would do it, but the fact is I carry no business risk in this venture. My personal choice to help is because I want to support the team to operate in the vision they have set for themselves. They don’t try to do everything at once and I like that because it’s real life and it works.

In my businesses, the one thing my clients definitely are not asking for me to do is make decisions that result in my not being around. One of passbolt’s strengths is ignoring the complaints they don’t want to ignore but must. The last thing we need is something that looks safe and works great but is inherently broken. So much of the app environment out there is sloppy with corner cutting on security. Passbolt won’t cut corners.

The members of this community are awesome. It’s one of the good ones. It’s all of you in this thread, and the support you express. I thank you for that.

14 Likes

We just did a migration of a working v2.11 (from August 2019) this week, so it very much feels like this sometimes. :slight_smile: :heart:

2 Likes

So better than NASA.

2 Likes

Agree! Thanks for the time to respond and everything, keep up the good work!

4 Likes

I just recently installed this app on my server thinking it had this feature. Anyway, I think this is a must for this app to succeed.
How long for this to be released on the CE?
Anyway, is there any way of supporting this project with donations? I mean I’d rather pay a donation than a monthly fee for the PRO version that has TOTP enabled for websites.
Thanks

I was bamboozled by the Passbolt MFA mention on their pricing page.
It clearly makes the app “useless” for us since every account we have has MFA.
Kinda sad, Passbolt looks so cool, I guess I’ll keep my installation aside for when it’ll be ready

MFA is available in all versions since v3.10. The pricing page maybe had not been updated yet when you checked.
TOTP support will be available on all versions, implementation has started on mobile.

5 Likes

My bad, when speaking of MFA, I was referring to TOTP.
It’s good to hear that it’s on the way, it’s so vital.

3 Likes

I am also waiting on this big time.

I too am waiting for this moment, but it didn’t seem to me that there was one in the announcement of the news, I know it won’t come very soon :confused:

@garrett - Storing TOTP has been essential for a Password Manager for many years. Would also suggest to implement this ASAP since without this Passbolt is just a nice to have…

Would love to have this in my organization but since MFA is mandatory on every Business Platform it is not interesting for us ATM. :wink: Off to KeePassXC again meh…

How much longer for this? Waiting patiently. Thanks

1 Like

Beta version is coming out soon. The topic was discussed at Passbolt Open Mic on Tuesday. It looks great.

1 Like

Yeah, I missed it… what is the date of the beta version release? Will be cool if you can share about the open mic. Thanks

@shootify

I did not take any screenshots from the Passbolt Open Mic. The alpha version started to take shape in February if I remember correctly, so I would say the Passbolt Dev team is working hard on TOTP.
I don’t remember which version number beta TOTP will be released on, but I do remember them saying the beta version is coming soon :grinning:

1 Like

We would be willing to upgrade to the beta to test this (and other features). Please let us know when the beta is available and how to go about installing it!

Thanks!

Hello @anomaly0617, welcome to the Passbolt Community :wave:

I am just a CE user and a community member.

Thank you for your offer to do beta testing :smile:

Passbolt will definitely be posting an announcement when TOTP beta is released :gift:

Soon :timer_clock: